Skillv1.0.1

ClawScan security

word-document-organizer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignMar 10, 2026, 9:47 AM

Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary: This is an instruction-only skill that plausibly implements Word (.docx) formatting, TOC generation and style application using python-docx and local file operations; nothing in the bundle suggests hidden or unrelated behavior, but there are minor implementation inconsistencies you should know about.
Guidance: This skill is instruction-only and edits local files: only provide paths to documents you trust and keep a separate copy. It will run a pip3 install for python-docx (which can execute code at install time) and will create a timestamped backup next to the original file but will otherwise overwrite the original unless you specify output_path — so specify an output_path or test on a copy first. Note the doc/.docx inconsistency: .doc (old binary Word) is likely unsupported by python-docx, so use .docx files. If you want extra safety, run the commands in a disposable environment (virtualenv or container) and inspect the SKILL.md before use.

Review Dimensions

Purpose & Capability: okThe name/description (organize Word documents, format, generate TOC, apply templates) matches the instructions: the SKILL.md describes checking a document path, backing up the file, installing python-docx, and running a Python script that edits docx contents. Required capabilities (filesystem access to the provided document path and ability to run python/pip) are consistent with the stated purpose.
Instruction Scope: noteInstructions stay within the documented purpose (open the provided file path, create a backup, modify the document, save). No steps reference unrelated files, secrets, or external endpoints. Two implementation issues: SKILL.md allows both .docx and .doc in checks, but the code uses python-docx which only supports .docx — .doc files are likely unsupported and will fail. Also the script will create a backup near the original file and, by default, overwrite the original unless an output_path is provided; users should be warned to provide an output_path to avoid data loss.
Install Mechanism: okThere is no packaged installer; the script runs pip3 install python-docx if needed. This is a common, proportionate install for the stated task. Note: pip installs execute package install-time code and may modify the Python environment; running inside a virtualenv is safer but not required by the skill.
Credentials: okThe skill requests no environment variables, credentials, or config paths. It only needs read/write access to the document path you supply and to be able to run python/pip — this is proportional to a document-organizing tool.
Persistence & Privilege: okThe skill does not request always: true and has no install artifacts beyond running pip. It does not modify other skills or system-wide agent configuration. Its runtime actions are limited to local file operations and installing a Python package if absent.